This application is related to and claims the benefit of Japanese Patent Application No. 2004-108938, filed Apr. 1, 2004, in Japan, the disclosure of which is incorporated herein by reference.
1. Field of the Invention
The present invention relates to providing a secured access to data, such as personal information, etc., stored in a storage medium of a personal computer.
2. Description of the Related Art
Generally, when using a personal computer or other devices, a password or a personal identification number (hereinafter referred to as a PIN) of a storage medium is input for each access to data, such as personal information, stored in the storage medium.
While requiring input of a PIN provides security and prevents unwanted disclosure of data, such as personal information or other secured data, in the storage medium, it is inconvenient because the PIN of the storage medium must be repeatedly input for each access to the data within the storage medium.
Accordingly, the following methods of accessing a storage medium have been considered in order to solve this problem. A smart card will be described as an example of a storage medium.
The smart card is formed as a plastic card about the size of a credit card into which an IC chip, such as a CPU, etc., is provided.
Initially, the PIN of the smart card is input in a personal computer or other smart card processing/reading devices to access data, such as personal information or other secured data, of the smart card. The input PIN of the smart card is then stored in a memory of the personal computer.
When subsequent access is made to the data in the smart card, the PIN of the smart card stored in the memory is collated or compared with the PIN stored in the smart card. When these PINs match, access can be made to the data in the smart card.
Accordingly, it is no longer necessary to repeatedly input the PIN for each access to data in the smart card. Applications of the smart card can be simplified and the convenience of using the smart card can also be improved.
Moreover, Japanese Patent Application Laid-Open No. 6-115287 discloses a means for improving convenience of the smart card in addition to the previously discussed smart card access method.
Initially, the PIN of the smart card is input to access the data, such as personal information, etc., in the smart card using a personal computer.
When the PIN of the smart card is collated, “authenticated condition” information is stored to a nonvolatile memory provided in the smart card.
Accordingly, when subsequent access is made to the smart card and the “authenticated condition” information is stored in the nonvolatile memory of the smart card, the data in the smart card can be accessed without collation of the PIN.
Accordingly, it is no longer necessary to repeatedly input the PIN for each access to the data in the smart card. As a result, application of the smart card can be more simplified and use of the smart card becomes more convenient.
However, existing methods of accessing a smart card have the following problems.
In cases where the PIN of a smart card is stored in the memory of the personal computer to make subsequent input of the PIN unnecessary, the password or the PIN may be compromised through a network to which the personal computer is connected, precisely because it is held in that memory. Convenience of the smart card is improved, but security deteriorates.
Moreover, when subsequent input of the password or the PIN is no longer required by storing the “authenticated condition” information in the nonvolatile memory provided in the smart card after collation of the PIN of smart card, if the smart card is lost while it is in the authenticated condition, a third party is capable of accessing the data, such as personal information, etc., in the smart card by taking advantage of the authenticated condition of the smart card.
For example, if the smart card authenticated by a company is lost, the third party can freely access the data therein, from outside of the company. Accordingly, risk of disclosure of data, such as personal information, stored in a smart card is remarkably increased.
An aspect of the present invention is therefore to only require a single input of a smart card PIN while improving convenience of use of the smart card and eliminating a security problem presented when storing the smart card PIN or a smart card password on a memory of a personal computer and/or when the smart card is lost and the authenticated condition is stored on the smart card.
In order to solve the problems described above, an application authentication program is provided that uses a password code for allowing access to information stored in a storage medium. The application authentication program controls a computer to execute operations including confirming connection with a storage medium, encrypting an input password code for generating an encrypted password code, transmitting identification information for identifying a computer which has generated the encrypted password code and the corresponding encrypted password code to the storage medium, and decoding the encrypted password code for confirming whether the identification information is stored in the storage medium when connection with the storage medium is subsequently confirmed and for decoding the corresponding encrypted password code upon determining that the identification information is stored.
According to another aspect of the application authentication program of the present invention, the password code encrypting includes controlling a computer to generate the encrypted password code and set an effective period for the encrypted password code.
Moreover, the application authentication method of the present invention uses a password code for allowing access to information stored in a storage medium and controls a computer to execute a storage medium confirming sequence for confirming whether connection with the storage medium is set up, a password code requesting sequence for confirming whether connection with the storage medium is set up, a password code encrypting sequence for generating the encrypted password code by encrypting an input password code, a storage medium transmitting sequence for transmitting identification information for identifying a computer which has generated the encrypted password code and the corresponding encrypted password code to the storage medium, and an encrypted password code decoding sequence for confirming whether the identification information is stored in the storage medium when the connection with the storage medium is confirmed and for decoding the corresponding encrypted password code upon determining that the identification information is stored.
Additional aspects and/or advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Accordingly, the present invention enables data to be protected from illegal access when a smart card is lost and allows convenient use of the smart card by requiring a PIN input only once.
Moreover, since the PIN is not cached in a memory on the personal computer, disclosure of the PIN due to the analysis of memory is prevented.
Reference will now be made in detail to the present invention, examples of which are illustrated in the accompanying drawings.
Further,
According to an aspect of the present invention, a user inserts the smart card 1 into the smart card reader/writer 3 connected with the personal computer 2. The user inputs the PIN via the PIN input device 4 to access the PIN protected storage area 6 and attempts to cancel/override the data access protection of the PIN protected storage area 6.
When the computer of the smart card has authenticated the PIN, the personal computer 2 issues a certificate 9 (further below described in relation to
The certificate 9 issued by the personal computer 2 is given or assigned a public key. This public key is used to encrypt the input PIN and the encrypted PIN is stored in the free storage area 7 of the smart card 1 shown in
Thereafter, to access the PIN protected storage area 6, the personal computer 2 reads the encrypted PIN stored in the free storage area 7, decodes the PIN with a secret key in the certificate 9 stored in the memory 8 and also cancels data access protection of the card.
In this situation, it is possible to designate the term of validity to the certificate stored in the memory 8. Accordingly, it is also possible to designate the period in which the encrypted PIN stored in the free storage area 7 can be used.
Moreover, since the encrypted PIN stored in the free storage area 7 can be decoded only with the secret key in the certificate stored in the memory 8, if the card is lost, it is impossible to access the PIN protected storage area 6 from other personal computers or smart card processing devices.
When a plurality of encrypted PINs are stored in the free storage area 7, only predetermined user(s) are capable of realizing or effecting operations with a plurality of personal computers using the smart card.
In this case, for example, CPU data of the personal computer 2 and the encrypted PIN are correspondingly stored in order to identify the certificate on the personal computer 2 using which the encrypted PIN stored in the free storage area 7 has been encrypted.
The smart card 1 is connected with the personal computer 2 in order for the data in the smart card 1 to be read. The PIN is input using the PIN input device 4 in order to access the data stored in the PIN protected storage area 6 of the smart card 1. The input PIN is then stored in the memory 8 of the personal computer 2. When the input PIN is correct, access can be made to the data stored in the PIN protected storage area 6.
The personal computer 2 ciphers or encrypts the PIN stored in the memory 8 with a public key. Here, the encrypted PIN is expressed as “@!#?” in
Here, the smart card 1 is connected with the personal computer 2 to read the data in the smart card 1. The personal computer 2 reads the encrypted PIN “@!#?” stored in the free storage area 7. The PIN data stored in the free storage area 7 is the PIN data obtained by ciphering or encrypting the PIN. Accordingly, the data in the smart card 1 is accessed by authenticating the PIN data.
Accordingly, since the card PIN is never cached in the memory 8 of the personal computer 2, disclosure of the PIN data by analyzing the memory 8 or other types of access, such as through a network, are prevented.
Next, an operation of the present invention will be described in relation to an application log-on function using the smart card.
As shown in
A user stores the log-on display image information for identifying the log-on display image of application 31 into the log-on display image information storage file 35 using the log-on display image registration tool 32.
The log-on information, such as ID and password, to be input to the registered application log-on display image 31 is registered to or stored in the smart card 1 via the card access library 36 using the log-on information registration tool 33. In this case, the ID and/or password is stored into the PIN protected storage area 6 and the ID and/or password is protected or is accessible by using the key 38 stored in the encryption library 37.
The log-on engine 34 requests, as a permanent program, the log-on information from the smart card 1 when a log-on display image is displayed that matches the log-on display image information stored in the log-on display image information file 35 and for which log-on information is registered to the smart card 1. After the PIN protection is cancelled, the log-on information is read and is then transmitted to the log-on display image of the application 31. Accordingly, log-on to the application is attempted using the smart card 1.
Since the log-on information has generally been stored in the area protected by the PIN data, the internal application log-on information has been obtained by accurately collating the PIN data for the smart card 1 for each access to the smart card 1. But, in the present invention, such collation of the PIN data is required only for the first access.
The title name, password input field name, and ID input field name of the log-on display image of the application input are then stored in the log-on display image information file 35 (operation 404).
A password for logging on to the application is input (operation 501). Then, an ID for logging on to the application is input (operation 502). Access is made to the card access library 36 to store the password and ID input (operation 503).
Reference is made to the log-on display image information stored within the log-on display image information storage file 35 (operation 601).
The display image information being displayed at present is read (operation 602).
It is decided whether the log-on display image including the log-on display image information to which the reference is made in operation 601 is displayed or not (operation 603).
When the display image information displayed does not match with the log-on display image information to which the reference is made, the display image information displayed is read again.
When the display image information being displayed matches with the log-on display image information to which the reference is made, reference is made to the card access library 36 (operation 604).
It is decided using the card access library 36 whether the log-on information has been read successfully (operation 605).
When the log-on information of the log-on display image being displayed can be read, the log-on information is transmitted to the log-on display image (operation 606).
It is decided or determined whether the smart card is or has been inserted into the smart card reader/writer (operation 701).
When the smart card is not inserted, the log-on display image “Insert the card, please!” is displayed. When the decision is “OK”, whether the smart card is inserted is decided again. When the decision is “cancel”, the access to the smart card is terminated (operation 702).
When it is decided that the smart card is inserted, the encrypted PIN is read from the free storage area (operation 703).
It is then decided or determined whether the encrypted PIN is read successfully or not (operation 704).
If the encrypted PIN is not read successfully, the log-on display image “Input the PIN, please!” is displayed (operation 705). When the decision is “cancel”, access to the smart card is terminated. When the PIN is input and the decision is “OK”, the PIN is collated (operation 706).
If the collation of the PIN is not successful, the log-on display image “Input the PIN, please!” is displayed. When the collation of the PIN is successful, a certificate is issued (operations 707 and 708).
Encryption of the PIN which has been collated successfully is requested from the encryption library 37 (operation 709).
The PIN encrypted by the encryption library 37 is stored in the free storage area and access is then made to the ID and password in the smart card (operations 710 and 714).
When the encrypted PIN is read successfully in operation 704, decoding of the encrypted PIN is requested from the encryption library (operation 711).
The decoded PIN is collated (operation 712) and if the collation of the PIN is not successful, the process shifts to operation 705. When the collation of the PIN is successful, access is made to the ID and password in the smart card (operation 714).
In order to use a plurality of personal computers with one smart card, the PINs encrypted by respective personal computers are stored in memory with the data size of 32 bytes and the ID information of the corresponding personal computer CPUs is stored with the data size of 16 bytes. The data indicating the number of PINs encrypted is stored with the data size of one byte. Accordingly, when it is requested to use the smart card with a particular personal computer, if the corresponding encrypted PIN and the ID information of CPU exist within the free storage area, such information is read to try to read the personal information stored in the PIN protected storage area.
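The multi-computer record layout described above can be sketched as follows. This is an added example, not code from the patent: the field order (count byte first, then CPU ID followed by encrypted PIN in each record), the function names and the sample byte values are assumptions, and the encrypted PIN is treated as an opaque 32-byte value.

```python
import struct

ID_LEN, PIN_LEN = 16, 32          # field sizes given in the text
REC_LEN = ID_LEN + PIN_LEN


class FreeAreaError(ValueError):
    """The free storage area does not match the assumed layout."""


def parse_free_area(blob):
    """Return [(cpu_id, encrypted_pin), ...]; trailing unused bytes are ignored."""
    if not blob:
        raise FreeAreaError("empty area")
    count, body = blob[0], blob[1:]
    if len(body) < count * REC_LEN:
        raise FreeAreaError("count byte says %d records, area is truncated" % count)
    return [(body[i:i + ID_LEN], body[i + ID_LEN:i + REC_LEN])
            for i in range(0, count * REC_LEN, REC_LEN)]


def pack_free_area(records):
    """Serialize records as one count byte followed by fixed-size records."""
    if len(records) > 255:
        raise FreeAreaError("count field is a single byte")
    for cpu_id, enc_pin in records:
        if len(cpu_id) != ID_LEN or len(enc_pin) != PIN_LEN:
            raise FreeAreaError("field has wrong length")
    return struct.pack("B", len(records)) + b"".join(i + p for i, p in records)


def find_encrypted_pin(blob, cpu_id):
    """Operations 703-704: this computer's encrypted PIN, or None.

    None covers both "no record for this computer" and "area unreadable";
    either way the caller prompts for the PIN (operation 705).
    """
    try:
        records = parse_free_area(blob)
    except FreeAreaError:
        return None
    return next((pin for rid, pin in records if rid == cpu_id), None)


def store_encrypted_pin(blob, cpu_id, enc_pin):
    """Operation 710: replace this computer's record or append a new one."""
    try:
        records = parse_free_area(blob)
    except FreeAreaError:
        records = []   # an unreadable area is rebuilt from scratch
    records = [r for r in records if r[0] != cpu_id] + [(cpu_id, enc_pin)]
    return pack_free_area(records)


# Constructed sample values: opaque byte strings standing in for real data.
PC_A, PC_B = b"\xa1" * ID_LEN, b"\xb2" * ID_LEN
ENC_A, ENC_B = b"\x11" * PIN_LEN, b"\x22" * PIN_LEN
AREA = store_encrypted_pin(store_encrypted_pin(b"", PC_A, ENC_A), PC_B, ENC_B)
```

A lookup that returns `None` for an unknown computer is what keeps a lost card unusable elsewhere in this scheme: the other machine finds no record under its own CPU ID and must fall back to the PIN prompt.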
Next, modification examples of the embodiment or alternate embodiment of the smart card in the present invention and the other technical extension items will be itemized below.
In the above discussed embodiment, the password code is not restricted to a string of characters and combination of the ID and password. For example, it is also possible to protect personal information of users with authentication of a fingerprint or other biometric authentication techniques.
In the embodiment described above, application of the smart card is not restricted to a personal computer and may also be used in the other information apparatuses.
In the above embodiment, the public key encryption system is introduced or described as the PIN encryption system. However, the present invention is not limited thereto and also allows employment of other secret key systems.
In the above embodiment, the CPU information of the personal computer and the encrypted PIN are stored correspondingly in order to identify with which personal computer's certificate the PIN has been encrypted. However, the present invention is not restricted to the encrypted PIN and the CPU information being stored correspondingly as long as the personal computer which has encrypted the PIN can be identified.
In the above embodiment, the effective period is set with the certificate on the personal computer, but the present invention is not restricted thereto.
In the above embodiment, the smart card reader/writer and the personal computer are not required to be isolated and therefore the smart card reader/writer may be provided as part of the personal computer.
In the above embodiment, when the smart card has authenticated the PIN, the personal computer newly issues a certificate, but it is also possible to previously register or store the certificate. Moreover, in the above embodiment, the personal information, etc., is stored in the smart card, but the present invention is not restricted thereto and various storage mediums which are capable of storing data may also be used.
Although embodiments of the present invention have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the claims and their equivalents.
Number | Date | Country | Kind |
---|---|---|---|
2004-108938 | Apr 2004 | JP | national |